Effective date: September 20th, 2017
This Business Associate Agreement (“BA Agreement”) is a binding contract between you, the Covered Entity (“Counselor”), and Pacifyr Inc., the Business Associate (“Pacifyr”).
Remember that your use of Pacifyr’s Services is at all times subject to the Terms of Use (Counselors) (the “Terms”), which incorporates this BA Agreement, and the Privacy Policy.
In connection with your use of Pacifyr’s Services, Pacifyr and Counselor anticipate that Pacifyr will create or receive Protected Health Information from and/or on behalf of Counselor, which information is subject to protection under the Federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, as amended by the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”), and related regulations promulgated by the Secretary (together “HIPAA”).
Any terms we use in this BA Agreement without defining them have the definitions given to them either in the Terms or in HIPAA as in effect or as amended from time to time.
1. Obligations and Activities of Pacifyr.
a. Use and Disclosure. If Protected Health Information is created by or disclosed to Pacifyr, Pacifyr agrees not to use or disclose Protected Health Information other than as permitted or required by the Terms, this BA Agreement or as Required by Law. Pacifyr shall comply with the provisions of this BA Agreement relating to privacy and security of Protected Health Information and all present and future provisions of HIPAA that relate to the privacy and security of Protected Health Information and that are applicable to “business associates,” as that term is defined in HIPAA.
b. Appropriate Safeguards. Pacifyr agrees to use appropriate safeguards to prevent the use or disclosure of the Protected Health Information other than as provided for by this BA Agreement. Without limiting the generality of the foregoing sentence, Pacifyr will:
i. Implement administrative, organizational, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic Protected Health Information that it creates, receives, maintains or transmits on behalf of the Counselor as required by the Security Rule;
ii. Report to Counselor any Security Incident involving Electronic Protected Health Information of which Pacifyr becomes aware. Any actual, successful Security Incident will be reported to Counselor in writing without unreasonable delay. Any attempted, unsuccessful Security Incident of which Pacifyr becomes aware will be reported to Counselor orally or in writing on a reasonable basis, as requested by Counselor. If HIPAA is amended to remove the requirement to report unsuccessful attempts at unauthorized access, the requirement hereunder to report such unsuccessful attempts will no longer apply as of the effective date of the amendment.
iii. Notify Counselor following the discovery of a Breach of Unsecured Protected Health Information in accordance with 45 C.F.R. § 164.410 without unreasonable delay and in no case later than 60 days (or within any shorter deadline imposed by applicable State law) after discovery of the Breach. A Breach is considered “discovered” as of the first day on which the Breach is known, or reasonably should have been known, to Pacifyr or any employee, officer or agent of Pacifyr, other than the individual committing the Breach. Any notice of a Security Incident or Breach of Unsecured Protected Health Information shall include the identification of each Individual whose Protected Health Information has been, or is reasonably believed by Pacifyr to have been, accessed, acquired, or disclosed during such Security Incident or Breach as well as any other relevant information regarding the Security Incident or Breach.
c. Reporting. Pacifyr agrees to report, without unreasonable delay, to Counselor any use or disclosure of Protected Health Information by Pacifyr or a third party to which Pacifyr disclosed Protected Health Information not permitted by this BA Agreement of which Pacifyr becomes aware.
d. Minimum Necessary Standard. To the extent required by the “minimum necessary” requirements of HIPAA, Pacifyr shall only request, use and disclose the minimum amount of Protected Health Information necessary to accomplish the purpose of the request, use or disclosure.
e. Mitigation. Pacifyr agrees to take reasonable steps to mitigate, to the extent practicable, any harmful effect that is known to Pacifyr of a use or disclosure of Protected Health Information by Pacifyr in violation of the requirements of this BA Agreement (including, without limitation, any Security Incident or Breach of Unsecured Protected Health Information). Pacifyr agrees to reasonably cooperate and coordinate with Counselor in the investigation of any violation of the requirements of this BA Agreement and/or any Security Incident or Breach. Pacifyr shall also reasonably cooperate and coordinate with Counselor in the preparation of any reports or notices required to be made under HIPAA or any other Federal or State laws, rules or regulations, to any Individual (entitled to notice in connection with a Breach), regulatory body, or any third party, provided that any such reports or notices shall be subject to the prior written approval of Counselor.
f. Subcontractors. Pacifyr shall enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2) with each Subcontractor (including, without limitation, a Subcontractor that is an agent under applicable law) that creates, receives, maintains or transmits Protected Health Information on behalf of Pacifyr. Pacifyr shall ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions and conditions that apply to Pacifyr through this BA Agreement.
g. Access to Designated Record Sets. To the extent that Pacifyr maintains Protected Health Information in a Designated Record Set, Pacifyr agrees to provide access, at the request of Counselor, and in the time and manner designated by the Counselor, to Protected Health Information in a Designated Record Set created or received by Pacifyr solely on behalf of Counselor only, to Counselor or, as directed by Counselor, to an Individual in order to meet the requirements under HIPAA Regulations. If an Individual makes a request for access to Protected Health Information directly to Pacifyr, Pacifyr shall notify Counselor of the request within ten (10) business days of such request. Counselor shall have the sole responsibility to make decisions regarding whether to approve a request for access to Protected Health Information.
h. Amendments to Designated Record Sets. To the extent that Pacifyr maintains Protected Health Information in a Designated Record Set, within thirty (30) days of a receipt of a request from Counselor for the amendment of an Individual’s Protected Health Information contained in such Designated Record Set, Pacifyr agrees to provide such Protected Health Information to Counselor for amendment and to incorporate any such amendment(s) to Protected Health Information in the Designated Record Set maintained by Pacifyr pursuant to HIPAA Regulations and in the time and manner designated by the Counselor. If an Individual makes a request for an amendment to Protected Health Information directly to Pacifyr, Pacifyr shall notify Counselor of the request within ten (10) business days of such request. Counselor will have the sole responsibility to make decisions regarding whether to approve a request for amendment to Protected Health Information.
i. Access to Books and Records. Pacifyr agrees to make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Pacifyr on behalf of, Counselor available to the Secretary for purposes of the Secretary determining Counselor’s and Pacifyr’s compliance with the Privacy Rule.
j. Accountings. Pacifyr agrees to, within thirty (30) days of request for an accounting of disclosures of Protected Health Information from Counselor, make available to Counselor such information as is in Pacifyr’s possession and as would be required for Counselor to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with HIPAA. If Pacifyr receives a request for an accounting directly from an Individual, Pacifyr shall forward such request to Counselor within ten (10) business days. Counselor shall have the sole responsibility to provide an accounting of disclosures.
2. Permitted Uses and Disclosures by Pacifyr.
a. Terms. Except as otherwise limited in this BA Agreement, Pacifyr may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Counselor as specified in the Terms, provided that such use or disclosure would not violate HIPAA if done by Counselor or the minimum necessary policies and procedures of the Counselor.
b. Use for Administration of Pacifyr. Except as otherwise limited in this BA Agreement, Pacifyr may use Protected Health Information for the proper management and administration of Pacifyr or to carry out the legal responsibilities of Pacifyr. Counselor acknowledges and agrees that proper management and administration of Pacifyr includes, without limitation, modifications or upgrades to its software or services, and development of new features or functionality thereof, or new related products or services.
c. Disclosure for Administration of Pacifyr. Except as otherwise limited in this BA Agreement, Pacifyr may disclose Protected Health Information for the proper management and administration of Pacifyr, provided that (i) disclosures are Required by Law, or (ii) Pacifyr obtains reasonable assurances from the third party to whom the information is disclosed that the third party will (a) protect the confidentiality of the Protected Health Information, and (b) use or further disclose the Protected Health Information only as Required by Law or for the purpose for which it was disclosed to the third party.
d. Data Aggregation. Pacifyr may use Protected Health Information to provide Data Aggregation services relating to the Health Care Operations of Counselor if required or permitted under this Agreement or the Terms.
e. De-Identified Information. Pacifyr may use Protected Health Information to create de-identified health information in accordance with the HIPAA de-identification requirements. Pacifyr may disclose de-identified health information for any purpose permitted by law.
3. Obligations of the Counselor.
a. Permissible Requests by Counselor. Except as set forth in Section 1 of this BA Agreement, Counselor shall not request Pacifyr to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Counselor.
b. Minimum Necessary PHI. When Counselor discloses Protected Health Information to Pacifyr, Counselor shall provide the minimum amount of Protected Health Information necessary for the accomplishment of Pacifyr’s purpose.
c. Permissions; Restrictions. Counselor warrants that it has obtained and will obtain any consents, authorizations and/or other legal permissions required under HIPAA and other applicable law for the disclosure of Protected Health Information to Pacifyr. Counselor shall notify Pacifyr of any changes in, or revocation of, the permission by an Individual to use or disclose his or her Protected Health Information, to the extent that such changes may affect Pacifyr’s use or disclosure of Protected Health Information. Counselor shall not agree to any restriction on the use or disclosure of Protected Health Information under 45 C.F.R. § 164.522 that restricts Pacifyr’s use or disclosure of Protected Health Information under this BA Agreement unless Pacifyr grants its written consent.
d. Notice of Privacy Practices. Except as required under HIPAA or other applicable law, with Pacifyr’s consent or as set forth in the Terms, Counselor shall not include any limitation in the Counselor’s notice of privacy practices that limits Pacifyr’s use or disclosure of Protected Health Information under this BA Agreement.
4. Term and Termination.
a. Term. This BA Agreement shall be effective as of the date of this BA Agreement and shall terminate when all of the Protected Health Information provided by Counselor to Pacifyr, or created or received by Pacifyr on behalf of Counselor, is destroyed or returned to Counselor, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section.
b. Termination Upon Breach. Any other provision of this BA Agreement notwithstanding, either party (the “Non-Breaching Party”), upon knowledge of a material breach by the other party (the “Breaching Party”), shall provide an opportunity for the Breaching Party to cure the breach or end the violation. If Breaching Party does not cure the breach or end the violation within thirty (30) calendar days, the Non-Breaching Party may terminate: (A) this BA Agreement; and (B) all of the provisions of the Terms that involve the use or disclosure of Protected Health Information. In the event that termination of this BA Agreement is not feasible, in the Non-Breaching Party’s sole discretion, the Non-Breaching Party has the right to report the breach to the Secretary.
c. Effect of Termination.
i. Except as provided in Section 4(c)(ii), upon termination of this BA Agreement, for any reason, Pacifyr shall return or destroy all Protected Health Information received from Counselor, or created or received by Pacifyr on behalf of Counselor. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Pacifyr. Pacifyr shall retain no copies of the Protected Health Information.
ii. In the event that Pacifyr reasonably determines that returning or destroying the Protected Health Information is infeasible, Pacifyr shall extend the protections of this BA Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Pacifyr maintains such Protected Health Information. Counselor acknowledges and agrees that (i) it is infeasible for Pacifyr to delete Practice Protected Health Information from its backup tapes or other backup systems and (ii) it is infeasible for Pacifyr to delete all Practice Protected Health Information during an ongoing investigation in connection with a Security Incident or Breach of Unsecured Protected Health Information, and that temporarily retaining certain Practice Protected Health Information may be necessary for such investigation.
5. Compliance with HIPAA Transaction Standards.
When providing its services and/or products, Pacifyr shall comply with all applicable HIPAA standards and requirements (including, without limitation, those specified in 45 CFR Part 162) with respect to the transmission of health information in electronic form in connection with any transaction for which the Secretary has adopted a standard under HIPAA (“Covered Transactions”). Pacifyr will make its services and/or products compliant with HIPAA’s standards and requirements no less than thirty (30) days prior to the applicable compliance dates under HIPAA. Pacifyr represents and warrants that it is aware of all current HIPAA standards and requirements regarding Covered Transactions, and Pacifyr shall comply with any modifications to HIPAA standards and requirements which become effective from time to time. Pacifyr shall require all of its agents and subcontractors (if any) who assist Pacifyr in providing its services and/or products to comply with the terms of this Section 5.
6. Miscellaneous.
a. Regulatory References. A reference in this BA Agreement to a section in HIPAA means the section as in effect or as amended or modified from time to time, including any corresponding provisions of subsequent superseding laws or regulations.
b. Amendment. Pacifyr agrees to take such action as is necessary to amend the Terms from time to time as is necessary to comply with the requirements of HIPAA.
c. Survival. The respective rights and obligations of Pacifyr under Section 4(c) of this BA Agreement shall survive the termination of the Terms or this BA Agreement.
d. Interpretation. Any ambiguity in this Agreement shall be resolved to permit the parties to comply with HIPAA.
e. Miscellaneous. The terms of this BA Agreement are hereby incorporated into the Terms. To the extent that Pacifyr receives Protected Health Information from or on behalf of Counselor and except as otherwise set forth in Section 6(d) of this BA Agreement, in the event of a conflict between the terms of this BA Agreement and the terms of the Terms, the terms of this BA Agreement shall prevail. The terms of the Terms which are not modified by this BA Agreement shall remain in full force and effect in accordance with the terms thereof. This BA Agreement shall be governed by, and construed in accordance with, the laws of the State of [Delaware], exclusive of conflict of law rules. Each party to this BA Agreement hereby agrees and consents that any legal action or proceeding with respect to this BA Agreement shall only be brought in the courts located in [Delaware]. The Terms and Privacy Policy together with this BA Agreement constitute the entire agreement between the parties with respect to the subject matter contained herein, and this BA Agreement supersedes and replaces any former business associate agreement or addendum entered into by the parties. This BA Agreement may be executed in counterparts, each of which when taken together shall constitute one original. Any PDF or facsimile signatures to this BA Agreement shall be deemed original signatures to this BA Agreement. No amendments or modifications to the BA Agreement shall be effected unless executed by both parties in writing.